- djm@cvs.openbsd.org 2007/06/12 11:15:17

     [ssh.c ssh.1]
     Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
     GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI)
     and is useful for hosts with /home on Kerberised NFS; bz #1312
     patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@

3 files changed, 19 insertions, 6 deletions

diff --git a/ChangeLog b/ChangeLog
index 41c47d2ab..890625fa2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,12 @@
      fix slave exit value when a control master goes away without passing the
      full exit status by ensuring that the slave reads a full int. bz#1261
      reported by frekko AT gmail.com; ok markus@ dtucker@
+   - djm@cvs.openbsd.org 2007/06/12 11:15:17
+     [ssh.c ssh.1]
+     Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
+     GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI)
+     and is useful for hosts with /home on Kerberised NFS; bz #1312
+     patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
 
 20070611
  - (djm) Bugzilla #1306: silence spurious error messages from hang-on-exit
@@ -3037,4 +3043,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4693 2007/06/12 13:41:33 dtucker Exp $
+$Id: ChangeLog,v 1.4694 2007/06/12 13:43:16 dtucker Exp $
diff --git a/ssh.1 b/ssh.1
index 6b76c1c0e..336d851dd 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.268 2007/06/07 19:37:34 pvalchev Exp $
-.Dd $Mdocdate: June 7 2007 $
+.\" $OpenBSD: ssh.1,v 1.269 2007/06/12 11:15:17 djm Exp $
+.Dd $Mdocdate: June 11 2007 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -315,6 +315,9 @@ It is possible to have multiple
 .Fl i
 options (and multiple identities specified in
 configuration files).
+.It Fl K
+Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
+credentials to the server.
 .It Fl k
 Disables forwarding (delegation) of GSSAPI credentials to the server.
 .It Fl L Xo
diff --git a/ssh.c b/ssh.c
index 74c9a091b..5155da791 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.296 2007/06/12 11:11:08 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.297 2007/06/12 11:15:17 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -185,7 +185,7 @@ static void
 usage(void)
 {
         fprintf(stderr,
-"usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
+"usage: ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
 "           [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
 "           [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
 "           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
@@ -272,7 +272,7 @@ main(int ac, char **av)
 
  again:
         while ((opt = getopt(ac, av,
-            "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) {
+            "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:KL:MNO:PR:S:TVw:XY")) != -1) {
                 switch (opt) {
                 case '1':
                         options.protocol = SSH_PROTO_1;
@@ -326,6 +326,10 @@ main(int ac, char **av)
                 case 'k':
                         options.gss_deleg_creds = 0;
                         break;
+                case 'K':
+                        options.gss_authentication = 1;
+                        options.gss_deleg_creds = 1;
+                        break;
                 case 'i':
                         if (stat(optarg, &st) < 0) {
                                 fprintf(stderr, "Warning: Identity file %s "